Vulnerability reporting has always been a complex issue, and it hasn’t gotten much simpler in recent years, especially when it comes to disclosing issues to the maintainers of open source projects. GitHub is hoping to help address this problem with a new feature that allows researchers to report bugs privately and directly to project maintainers.
The new feature enables the maintainer of a repository on GitHub to turn on the functionality in the security settings, and once it’s enabled, researchers will see a new button that they can use to deliver vulnerability reports privately to the maintainer. GitHub announced the new feature on Wednesday and it is available now for maintainers to try out.
“Private vulnerability reporting is a collaborative solution for security researchers and open source maintainers to report and fix vulnerabilities in open source repositories. It provides a convenient, standardized, and secret way to report, assess, and address vulnerabilities,” GitHub CEO Thomas Dohmke said in a post.
“Private vulnerability reporting makes it easy for community members to privately submit a report within GitHub to public repository owners, who can then take appropriate action within their GitHub workflow.”
One of the obstacles that researchers encounter when trying to report a vulnerability to the maintainer of a project is finding good contact information. While some maintainers may list an email address for contact, many others do not. In those cases, researchers often have to track down maintainers on Twitter or elsewhere to try to report a vulnerability. That may work, but it also may be a dead end, or it may anger the maintainer.
“Security researchers often feel responsible for alerting users to a vulnerability that could be exploited. If there are no clear instructions about contacting maintainers of the repository containing the vulnerability, security researchers may have no other choice but to post about the vulnerability on social media, send direct messages to the maintainer, or even creat public issues. This situation can potentially lead to a public disclosure of the vulnerability details,” the description of the new feature says.
With the new private reporting feature, when a researcher reports a vulnerability, the maintainer of the repository can decide whether to accept it, reject it, or ask some questions of the reporter.